author | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2019-11-08 15:12:23 +0100 |
---|---|---|
committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2019-11-10 23:22:15 +0100 |
commit | 084870f9c0c03d5766d272828254f8d0a7aacf66 (patch) | |
tree | 6c95b944b9257d99002600c7a4f1474fafea0cd2 | |
parent | 77abd02985415fc90db03511b6bcc4479f61f81f (diff) | |
download | systemd-084870f9c0c03d5766d272828254f8d0a7aacf66.tar.gz |
core: rename CGROUP_AUTO/STRICT/CLOSED to CGROUP_DEVICE_POLICY_…
The old names were very generic, and when used without context it wasn't at all
clear that they are about the devices policy.
-rw-r--r-- | src/core/bpf-devices.c | 6 | ||||
-rw-r--r-- | src/core/cgroup.c | 14 | ||||
-rw-r--r-- | src/core/cgroup.h | 11 | ||||
-rw-r--r-- | src/core/unit.c | 6 |
4 files changed, 18 insertions, 19 deletions
diff --git a/src/core/bpf-devices.c b/src/core/bpf-devices.c
index 693ff124c5..3b8e0ac7f8 100644
--- a/src/core/bpf-devices.c
+++ b/src/core/bpf-devices.c
@@ -132,14 +132,14 @@ int cgroup_init_device_bpf(BPFProgram **ret, CGroupDevicePolicy policy, bool whi
 assert(ret);
- if (policy == CGROUP_AUTO && !whitelist)
+ if (policy == CGROUP_DEVICE_POLICY_AUTO && !whitelist)
 return 0;
 r = bpf_program_new(BPF_PROG_TYPE_CGROUP_DEVICE, &prog);
 if (r < 0)
 return log_error_errno(r, "Loading device control BPF program failed: %m");
- if (policy == CGROUP_CLOSED || whitelist) {
+ if (policy == CGROUP_DEVICE_POLICY_CLOSED || whitelist) {
 r = bpf_program_add_instructions(prog, pre_insn, ELEMENTSOF(pre_insn));
 if (r < 0)
 return log_error_errno(r, "Extending device control BPF program failed: %m");
@@ -160,7 +160,7 @@ int cgroup_apply_device_bpf(Unit *u, BPFProgram *prog, CGroupDevicePolicy policy
 return 0;
 }
- const bool deny_everything = policy == CGROUP_STRICT && !whitelist;
+ const bool deny_everything = policy == CGROUP_DEVICE_POLICY_STRICT && !whitelist;
 const struct bpf_insn post_insn[] = {
 /* return DENY */
diff --git a/src/core/cgroup.c b/src/core/cgroup.c
index 747543a995..48a320fc9d 100644
--- a/src/core/cgroup.c
+++ b/src/core/cgroup.c
@@ -1392,7 +1392,7 @@ static void cgroup_context_apply(
 /* Changing the devices list of a populated cgroup might result in EINVAL, hence ignore EINVAL
 * here. */
- if (c->device_allow || c->device_policy != CGROUP_AUTO)
+ if (c->device_allow || c->device_policy != CGROUP_DEVICE_POLICY_AUTO)
 r = cg_set_attribute("devices", path, "devices.deny", "a");
 else
 r = cg_set_attribute("devices", path, "devices.allow", "a");
@@ -1401,8 +1401,8 @@ static void cgroup_context_apply(
 "Failed to reset devices.allow/devices.deny: %m");
 }
- if (c->device_policy == CGROUP_CLOSED ||
- (c->device_policy == CGROUP_AUTO && c->device_allow)) {
+ if (c->device_policy == CGROUP_DEVICE_POLICY_CLOSED ||
+ (c->device_policy == CGROUP_DEVICE_POLICY_AUTO && c->device_allow)) {
 static const char auto_devices[] =
 "/dev/null\0" "rwm\0"
 "/dev/zero\0" "rwm\0"
@@ -1570,7 +1570,7 @@ static CGroupMask unit_get_cgroup_mask(Unit *u) {
 mask |= CGROUP_MASK_MEMORY;
 if (c->device_allow ||
- c->device_policy != CGROUP_AUTO)
+ c->device_policy != CGROUP_DEVICE_POLICY_AUTO)
 mask |= CGROUP_MASK_DEVICES | CGROUP_MASK_BPF_DEVICES;
 if (c->tasks_accounting ||
@@ -3708,9 +3708,9 @@ int compare_job_priority(const void *a, const void *b) {
 }
 static const char* const cgroup_device_policy_table[_CGROUP_DEVICE_POLICY_MAX] = {
- [CGROUP_AUTO] = "auto",
- [CGROUP_CLOSED] = "closed",
- [CGROUP_STRICT] = "strict",
+ [CGROUP_DEVICE_POLICY_AUTO] = "auto",
+ [CGROUP_DEVICE_POLICY_CLOSED] = "closed",
+ [CGROUP_DEVICE_POLICY_STRICT] = "strict",
 };
 int unit_get_cpuset(Unit *u, CPUSet *cpus, const char *name) {
diff --git a/src/core/cgroup.h b/src/core/cgroup.h
index a66c702125..3d4bb4142d 100644
--- a/src/core/cgroup.h
+++ b/src/core/cgroup.h
@@ -18,16 +18,15 @@ typedef struct CGroupBlockIODeviceWeight CGroupBlockIODeviceWeight;
 typedef struct CGroupBlockIODeviceBandwidth CGroupBlockIODeviceBandwidth;
 typedef enum CGroupDevicePolicy {
-
- /* When devices listed, will allow those, plus built-in ones,
- if none are listed will allow everything. */
- CGROUP_AUTO,
+ /* When devices listed, will allow those, plus built-in ones, if none are listed will allow
+ * everything. */
+ CGROUP_DEVICE_POLICY_AUTO,
 /* Everything forbidden, except built-in ones and listed ones. */
- CGROUP_CLOSED,
+ CGROUP_DEVICE_POLICY_CLOSED,
 /* Everything forbidden, except for the listed devices */
- CGROUP_STRICT,
+ CGROUP_DEVICE_POLICY_STRICT,
 _CGROUP_DEVICE_POLICY_MAX,
 _CGROUP_DEVICE_POLICY_INVALID = -1
diff --git a/src/core/unit.c b/src/core/unit.c
index 5f2ca44701..137a110cc2 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -4303,11 +4303,11 @@ int unit_patch_contexts(Unit *u) {
 if (cc && ec) {
 if (ec->private_devices &&
- cc->device_policy == CGROUP_AUTO)
- cc->device_policy = CGROUP_CLOSED;
+ cc->device_policy == CGROUP_DEVICE_POLICY_AUTO)
+ cc->device_policy = CGROUP_DEVICE_POLICY_CLOSED;
 if (ec->root_image &&
- (cc->device_policy != CGROUP_AUTO || cc->device_allow)) {
+ (cc->device_policy != CGROUP_DEVICE_POLICY_AUTO || cc->device_allow)) {
 /* When RootImage= is specified, the following devices are touched. */
 r = cgroup_add_device_allow(cc, "/dev/loop-control", "rw"); |